05: How are DRIVE MAPS and UNC paths supported in PolicyPak Least Privilege Manager?
First, let’s start with UNC paths.
- UNC Paths are supported and honored.
- Note that the same UNC target could have different names, for instance \\192.168.2.10\share might all point to the exact same place.
- Each rule name is evaluated differently.
- Therefore, as an example… to make your UNC rules, you would need to cover all the bases:
- A rule could be for \\fabrikam\Share which will work, but…
- You would also need a rule for \\fabrikam.com\Share and also if desired…
- You would need a rule for
Tip: If you want to elevate all files in \\SERVER\Share you must use TARGET = FOLDER (see screenshot below.)
But if you want to elevate all files in \\Server\Share AND all files in any subfolders (\\Server\Share\Subfolder2, etc.) then you must specify TARGET = FOLDER (recursive) (see screenshot below.)
Understanding Drive Maps in relation to UNC paths:
Think of drive maps like “shortcuts” which map to existing UNC paths. So, S: is really a map to
Therefore, if you want to elevate something on the S: drive, you need to ALSO have the \\server\share elevated expressly.
Additional thoughts for various rule types:
For EXE rules:
- You do not need to make any explicit “Drive map” rules. So, don’t elevate “S:” in PolicyPak Least Privilege Manager. That is incorrect syntax.
- Instead, you would make a UNC path rule for what S: is really pointing to.
- So, for instance, if you want to elevate all files in S: (which is mapping to \\fabrikam.com\share), that’s fine:
- You don’t need to have a PolicyPak Least Privilege Manager rule to “Elevate S:”.
- You DO need to have a PolicyPak Least Privilege Manager rule to “Elevate \\fabrikam.com\share” and select Folder or Folder (Recursive) as shown here.
For Non-EXE rules:
- Create the rules based on how the application is being accessed. In other words, if the application will be accessed via a UNC path, create the rule using the UNC path. If the application will be accessed via a drive letter, create the rule based on the drive letter.
- So, for instance, if all of your Non-EXE applications reside in a folder normally accessed via the drive letter S: and you want to elevate all the Non-EXE files in S:
- You should create a PolicyPak Least Privilege Manager rule to Elevate the path to the folder using the S: drive and then select Folder or Folder (Recursive) as shown below.
To cover all bases you can also create the rule with all possible paths:
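As an added example (not from the original article and not PolicyPak's own code), this PowerShell helper expands a folder path into the path spellings the guidance above says need rules: the UNC form under every server name and, for Non-EXE rules, the drive-letter form as well. The function name, the S: mapping and the alias list are assumptions made for illustration.

```powershell
# Added example, not PolicyPak code. Expands one folder path into the path
# spellings that need a rule, following the guidance in this article.
function Get-RulePathCandidate {
    param(
        [Parameter(Mandatory)] [string]    $Path,        # S:\Folder or \\server\share\Folder
        [Parameter(Mandatory)] [hashtable] $DriveMap,    # drive letter -> UNC root it maps to
        [Parameter(Mandatory)] [string[]]  $ServerAlias, # every name clients use for the server
        [switch] $NonExe                                 # also keep the drive-letter form
    )
    $candidates = @()

    # A drive-letter path is translated to the UNC path it really points to.
    if ($Path -match '^(?<drive>[A-Za-z]:)(?<rest>\\.*)?$') {
        $drive = $Matches['drive'].ToUpper()
        $tail  = $Matches['rest']          # $null when only "S:" was given
        if (-not $DriveMap.ContainsKey($drive)) {
            throw "No UNC target known for drive $drive"
        }
        # Non-EXE rules follow the path as launched, so keep the S: form too.
        if ($NonExe) { $candidates += $Path }
        $Path = $DriveMap[$drive].TrimEnd('\') + $tail
    }

    # Split \\server\share[\sub\folders] into the server name and the remainder.
    if ($Path -notmatch '^\\\\(?<server>[^\\]+)(?<rest>\\[^\\]+.*)$') {
        throw "Not a UNC path: $Path"
    }
    $rest  = $Matches['rest'].TrimEnd('\')
    $names = (@($Matches['server']) + $ServerAlias) | Sort-Object -Unique

    # One candidate per server name, since each spelling needs its own rule.
    $candidates += $names | ForEach-Object { '\\{0}{1}' -f $_, $rest }
    $candidates
}

# Constructed sample values: the S: mapping and the alias list are assumptions.
$map     = @{ 'S:' = '\\fabrikam.com\share' }
$aliases = 'fabrikam', 'fabrikam.com', '192.168.2.10'

Get-RulePathCandidate -Path 'S:\Installers' -DriveMap $map -ServerAlias $aliases -NonExe
Get-RulePathCandidate -Path '\\fabrikam\Share\Tools' -DriveMap $map -ServerAlias $aliases
```

On a live machine the drive map can be built from the LocalPath and RemotePath properties returned by Get-SmbMapping instead of being typed by hand.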
Troubleshooting Non-EXE rules:
- If an elevation rule does NOT work, you can create a simple path rule for any of the Non-EXE files (i.e. MSI) using a wildcard, for example: *\SkypeSetup.msi. Then run gpupdate on the target machine, launch the MSI, and check the PolicyPak event log to see which path was shown for the MSI (see screenshot below). Lastly, use that path for your Non-EXE rule: